Consider sandboxed environment for agent execution

[iliall]

Summary

Currently mini-swe-agent runs in a local environment (default_type="local") which executes commands directly on the host machine. When processing repositories from untrusted datasets, this could lead to arbitrary code execution.

Current Behavior

env = get_environment(config.get("environment", {}), default_type="local")

Potential Mitigations

1. Container-based environment: Use mini-swe-agent's container environment if available
2. Explicit opt-in: Require explicit flag/env var to enable local execution
3. Dataset trust level: Add dataset metadata indicating trust level
4. Documentation: Prominently document the risk for users

Priority

Medium - acceptable for controlled research datasets, but should be addressed before processing arbitrary/untrusted data.

References

• src/generator.py:_run_agent()

[m13v]

this is important - we run agents against untrusted codebases too and sandbox isolation is essential. git worktrees give you filesystem isolation cheaply (each agent gets its own working directory) but for true execution sandboxing you probably want containers or at minimum a restricted shell. we use worktrees for the filesystem layer and rely on the MCP server architecture to control what system calls the agent can actually make.

[m13v]

here's how we isolate agent execution through the MCP server layer - each tool call goes through controlled access: https://github.com/mediar-ai/terminator/blob/main/crates/terminator-mcp-agent/src/server.rs

and the element-level access control that prevents agents from touching UI outside their scope: https://github.com/mediar-ai/terminator/blob/main/crates/terminator/src/element.rs